http://www.youtube.com/watch?v=toOaZKUxL00 Mobile App Security - OWASP and Other Ways to Get Started
Mike: A couple of things I've already talked about have already come off the OWASP top ten list for mobile, which is a list that myself, Jack Lanier, Zack Mannino, and a number of other people in the application security community collaborated on to put together this list of top ten risks for mobile.
Pete: Yeah, OWASP is a great organization.
Mike: OWASP.org
Pete: And highly recommended for all the geeks out there that want to learn more security in general- application security specifically. There's projects- one that covers mobile that you mentioned, that you're involved in. And a wealth of other resources and information there. So I highly recommend that geeks out there check that out.
Mike: So, one of the things- and it's actually number two on the OWASP mobile top ten is to- the number two risk is essentially weak server-side controls. So, I just consider it a pointer to the original OWASP top ten for web applications, which was a widely accepted list of standards- standard risks and vulnerabilities in web applications. It's something that other compliance organizations have taken to- for example, PCI- to be PCI compliant, you need to be scanned and assessed by the OWASP top ten list. So, when we're writing these new mobile applications, we need to remember that it's not just code going on the client anymore. It's potentially a whole new server-side infrastructure and either a SOAP-based web service or RESTful service. And, these new pieces of technology are ripe for attack. It's funny, when the iPads first came out, within the first couple of days there was the first "iPad hack" where all sorts of private details and data about the initial customers who received their iPads was made public. It was essentially publicly available on the internet. And the reason for this was, essentially, poor server-side controls. There was no access control on these web services that the iPad was communicating with. So, people could just bypass the iPad, fire up a web browser, talk directly to the web service and extract all this data. And that was labeled as an iPad hack, when really it's kind of the same thing we've been dealing with for well over a decade now. SQL injection, input validation attacks, improper authorization, lack of access control.
Pete: So, if I'm not starting from scratch- what if I'm a developer and I already have a mobile application out and maybe I didn't think through some of these architectural or sensitive data storage on the- maybe I didn't think through all those issues when I was originally architecting my app. What's the first thing I should do to try to secure an existing mobile application?
Mike: Sure. I would perform a code review for security, where someone looks at the code, line by line, manually, and assesses that code based on the current OWASP top ten risks for mobile apps.
Pete: So, I could do this myself as a developer, it's not necessary to hire an expensive security consultant. I could go to the OWASP and search or work my way through the top ten and do a code review of my own application for that.
Mike: Certainly. I mean, something as simple as data storage on the device- you know if you're storing sensitive data on the SD card. If you see yourself doing that, that's bad because that's basically a public location on the device and the application could access it. So, yeah, I think it's certainly doable for a developer to start working through these risks and analyzing their own code.
Pete: How can the geeks reach out to you if they have questions about application security?
Mike: Sure. Well, you can always just Google me, Mike Zusman, and a number of things will pop up. My blog will pop up. You can also find me on Twitter. My handle is @schmoilito, which is not as easily spelled.
Pete: I think I always forget that last I. And, the name of your company is Carve Systems?
Mike: Carve Systems, yes.
Pete: Great. Awesome. Well, thanks for chatting.
Mike: Yeah, thanks, Pete.
Pete: Security's a great topic. It's something I want to cover more, like I said, in future episodes. So, maybe we'll bring you back and do a deeper dive into something OAuth related perhaps.
Mike: Sure, definitely. Thanks for having me.